This document discusses building observability into serverless applications. It outlines challenges like not being able to install agents or do background processing in serverless functions. It then discusses approaches to implement logging, metrics, and distributed tracing in serverless using services like CloudWatch Logs, X-Ray, and structuring logs. The key is to do this with minimal overhead and in a way that works for asynchronous workflows between serverless functions.

1. how to build
Serverless
OBSERVABILITY
into a application

3. Abraham Wald

4. Abraham Wald

5. Abraham Wald

6. Abraham Wald
Wald noted that the study only considered the
aircraft that had survived their missions—the
bombers that had been shot down were not
present for the damage assessment.
The holes in the returning aircraft, then,
represented areas where a bomber could take
damage and still return home safely.

7. Abraham Wald
Wald noted that the study only considered the
aircraft that had survived their missions—the
bombers that had been shot down were not
present for the damage assessment.
The holes in the returning aircraft, then,
represented areas where a bomber could take
damage and still return home safely.

8. survivor bias in monitoring

9. survivor bias in monitoring
Only focus on failure modes that we were able to successfully identify
through investigation and postmortem in the past.
The bullet holes that shot us down and we couldn’t identify stay
invisible, and will continue to shoot us down.

10. What do I mean by “observability”?

11. Monitoring
watching out for known
failure modes in the
system,
e.g. network I/O, CPU,
memory usage, …

12. Observability
being able to debug the
system, and gain insights
into the system’s
behaviour

13. In control theory, observability is a measure of how well internal
states of a system can be inferred from knowledge of its
external outputs.
https://en.wikipedia.org/wiki/Observability

14. Known Success

15. Known SuccessKnown Errors

16. Known SuccessKnown Errors
easy to monitor!

17. Known SuccessKnown Errors
Known Unknowns

18. Known SuccessKnown Errors
Known UnknownsUnknown Unknowns

19. Known SuccessKnown Errors
Known UnknownsUnknown Unknowns
invisible bullet
holes

20. Known SuccessKnown Errors
Known UnknownsUnknown Unknowns

21. Known SuccessKnown Errors
Known UnknownsUnknown Unknowns
only alert
on this

22. Known SuccessKnown Errors
Known UnknownsUnknown Unknowns
alert on the absence
of this!

23. Known SuccessKnown Errors
Known UnknownsUnknown Unknowns
what went wrong?

24. These are the four pillars of the Observability Engineering
team’s charter:
• Monitoring
• Alerting/Visualization
• Distributed systems tracing infrastructure
• Log aggregation/analytics
“
” http://bit.ly/2DnjyuW- Observability Engineering at Twitter

25. microservices death stars circa 2015

26. microservices death stars circa 2015
mm… I wonder what’s
going on here…

31. microservices death stars circa 2015
I got this!

34. Yan Cui
http://theburningmonk.com
@theburningmonk
Principal Engineer @
Independent Consultant

37. available in Austria, Switzerland, Germany,
Japan, Canada, Italy, US and Spain

38. available on 30+ platforms

39. ~1,000,000 concurrent viewers

40. follow @dazneng for
updates about the
engineering team
We’re hiring! Visit
engineering.dazn.com
to learn more.
WE’RE HIRING!

42. AWS user since 2009

43. AWS user since 2009

44. new
challenges

45. NO ACCESS
to underlying OS

46. NOWHERE
to install agents/daemons

47. •nowhere to install agents/daemons
new challenges

48. user request
user request
user request
user request
user request
user request
user request
critical paths:
minimise user-facing latency
handler
handler
handler
handler
handler
handler
handler

49. user request
user request
user request
user request
user request
user request
user request
critical paths:
minimise user-facing latency
StatsD
handler
handler
handler
handler
handler
handler
handler
rsyslog
background processing:
batched, asynchronous, low
overhead

50. user request
user request
user request
user request
user request
user request
user request
critical paths:
minimise user-facing latency
StatsD
handler
handler
handler
handler
handler
handler
handler
rsyslog
background processing:
batched, asynchronous, low
overhead
NO background processing
except what platform provides

51. •no background processing
•nowhere to install agents/daemons
new challenges

52. EC2
concurrency used to be
handled by your code

53. EC2
Lambda
Lambda
Lambda
Lambda
Lambda
now, it’s handled by the
AWS Lambda platform

54. EC2
logs & metrics used to be
batched here

55. EC2
Lambda
Lambda
Lambda
Lambda
Lambda
now, they are batched in each
concurrent execution, at best…

58. HIGHER concurrency to log
aggregation/telemetry system

59. •higher concurrency to telemetry system
•nowhere to install agents/daemons
•no background processing
new challenges

60. Lambda
cold start

61. Lambda
data is batched between
invocations

62. Lambda
idle
data is batched between
invocations

63. Lambda
idle
garbage collectiondata is batched between
invocations

64. Lambda
idle
garbage collectiondata is batched between
invocations
HIGH chance of data loss

65. •high chance of data loss (if batching)
•nowhere to install agents/daemons
•no background processing
•higher concurrency to telemetry system
new challenges

66. Lambda

67. my code
send metrics

68. my code
send metrics

69. my code
send metrics
internet internet
press button something happens

71. http://bit.ly/2Dpidje

72. ?
functions are often chained together via
asynchronous invocations

73. ?
SNS
Kinesis
CloudWatch
Events
CloudWatch
LogsIoT
DynamoDB
S3 SES

74. ?
SNS
Kinesis
CloudWatch
Events
CloudWatch
LogsIoT
DynamoDB
S3 SES
tracing ASYNCHRONOUS invocations
through so many different event
sources is difficult

75. •asynchronous invocations
•nowhere to install agents/daemons
•no background processing
•higher concurrency to telemetry system
•high chance of data loss (if batching)
new challenges

76. These are the four pillars of the Observability Engineering
team’s charter:
• Monitoring
• Alerting/Visualization
• Distributed systems tracing infrastructure
• Log aggregation/analytics
“
” http://bit.ly/2DnjyuW- Observability Engineering at Twitter

77. LOGGING

79. 2016-07-12T12:24:37.571Z 994f18f9-482b-11e6-8668-53e4eab441ae
GOT is off air, what do I do now?

80. 2016-07-12T12:24:37.571Z 994f18f9-482b-11e6-8668-53e4eab441ae
GOT is off air, what do I do now?
UTC Timestamp Request Id
your log message

82. one log group per
function
one log stream for each
concurrent invocation

83. logs are not easily searchable in CloudWatch
Logs
me

84. CloudWatch Logs

86. CloudWatch Logs is an async event source for Lambda

87. Concurrent Executions
Time
regional max
concurrency
functions that are delivering
business value

88. Concurrent Executions
Time
regional max
concurrency
functions that are delivering
business value
ship logs

89. either set concurrency limit on the log shipping function (and
potentially lose logs due to throttling)
or…

91. 1 shard = 1 concurrent execution
i.e. control the no. of concurrent
executions with no. of shards

92. …

93. CloudWatch Logs

99. CloudWatch Logs

100. use structured logging with JSON

101. https://stackify.com/what-is-structured-logging-and-why-developers-need-it/ https://blog.treasuredata.com/blog/2012/04/26/log-everything-as-json/

102. https://www.loggly.com/blog/8-handy-tips-consider-logging-json/

104. traditional loggers are too heavy for Lambda

108. CloudWatch Logs
$0.50 per GB ingested
$0.03 per GB archived per month

109. CloudWatch Logs
$0.50 per GB ingested
$0.03 per GB archived per month
1M invocation of a 128MB function =
$0.000000208 * 1M + $0.20 =
$0.408

110. DON’T leave debug logging ON in production

112. have to redeploy ALL the functions
along the call path to collect all
relevant debug logs

117. EC2
Lambda
Lambda
Lambda
Lambda
Lambda
Concurrency is handled by the
AWS Lambda platform

124. sampling decision has to be followed
by an entire call chain

125. Initial Request ID
User ID
Session ID
User-Agent
Order ID
…

126. nonintrusive
extensible
consistent
works for streams

127. EC2
Lambda
Lambda
Lambda
Lambda
Lambda
Concurrency is handled by the
AWS Lambda platform

128. store correlation IDs in global variable

131. use middleware to auto-capture incoming correlation IDs

132. extract correlation IDs from invocation
event, and store them in the correlation-
ids module
reset

134. logger to always include captured correlation IDs

135. HTTP and AWS SDK clients to auto-forward correlation IDs on

136. context.awsRequestId
get-index

137. context.awsRequestId x-correlation-id
get-index

138. {
“headers”: {
“x-correlation-id”: “…”
},
…
}
get-index

139. {
“body”: null,
“resource”: “/restaurants”,
“headers”: {
“x-correlation-id”: “…”
},
…
}
get-index get-restaurants

140. get-restaurants
global.CONTEXT
global.CONTEXT
x-correlation-id = …
x-correlation-xxx = …
get-index
headers[“User-Agent”]
headers[“Debug-Log-Enabled”]
headers[“User-Agent”]
headers[“Debug-Log-Enabled”]
headers[“x-correlation-id”]
capture
forward
function
event
log.info(…)

143. nonintrusive
extensible
consistent
works for streams

144. MONITORING

146. •no background processing
•nowhere to install agents/daemons
new challenges

147. my code
send metrics
internet internet
press button something happens

148. those extra 10-20ms for sending
custom metrics would compound
when you have microservices and
multiple APIs are called within one
slice of user event

149. Amazon found every 100ms of latency cost them 1% in sales.
http://bit.ly/2EXPfbA

150. console.log(“hydrating yubls from db…”);
console.log(“fetching user info from user-api”);
console.log(“MONITORING|1489795335|27.4|latency|user-api-latency”);
console.log(“MONITORING|1489795335|8|count|yubls-served”);
timestamp metric value
metric type
metric namemetrics
logs

151. CloudWatch Logs AWS Lambda
ELK stack
logs
m
etrics
CloudWatch

153. delay
cost
concurrency

154. delay
cost
concurrency
no latency
overhead

155. API Gateway
send custom metrics
asynchronously

156. SNS KinesisS3API Gateway
…
send custom metrics
asynchronously
send custom metrics as part of
function invocation

159. TRACING

160. X-Ray

164. don’t span over async invocations
good for identifying dependencies of a function, but not
good enough for tracing the entire call chain as user
request/data flows through the system via async event
sources.

165. don’t span over non-AWS services

170. write structured logs

171. instrument your code

172. make it easy to do the right thing

173. Yan Cui
http://theburningmonk.com
@theburningmonk

174. follow @dazneng for
updates about the
engineering team
We’re hiring! Visit
engineering.dazn.com
to learn more.
WE’RE HIRING!